{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-29T08:26:43.226","vulnerabilities":[{"cve":{"id":"CVE-2026-27482","sourceIdentifier":"security-advisories@github.com","published":"2026-02-21T10:16:12.380","lastModified":"2026-06-17T10:27:13.813","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Ray is an AI compute engine. In versions 2.53.0 and below, the dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher."},{"lang":"es","value":"Ray es un motor de cómputo de IA. En las versiones 2.53.0 e inferiores, el servidor HTTP del panel de control bloquea POST/PUT de origen de navegador pero no cubre DELETE, y los endpoints DELETE clave no están autenticados por defecto. Si el panel de control/agente es accesible (p. ej., --dashboard-host=0.0.0.0), una página web a través de la reconfiguración de DNS o el acceso a la misma red puede emitir solicitudes DELETE que apagan Serve o eliminan trabajos sin interacción del usuario. Esto supone un impacto en la disponibilidad de tipo drive-by. La solución para esta vulnerabilidad es actualizar a Ray 2.54.0 o superior."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"ray-project","product":"ray","versions":[{"version":"< 2.54.0","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":4.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-24T18:51:47.465400Z","id":"CVE-2026-27482","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-396"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:anyscale:ray:*:*:*:*:*:*:*:*","versionEndExcluding":"2.54.0","matchCriteriaId":"63751A45-3056-49B1-A840-35B9E6782CD1"}]}]}],"references":[{"url":"https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/ray-project/ray/pull/60526","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/ray-project/ray/releases/tag/ray-2.54.0","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}